Skip to content

Commit

Permalink
Add Oauth1 to Security Scheme Object
Browse files Browse the repository at this point in the history 
This adds in the security definitions for Oauth1. It follows for from the discussions in OAI#61. It is similar to the way RAML handles it's description of Oauth1 as well.
  • Loading branch information
@starfishmod
starfishmod authored May 2, 2017
1 parent 2373c4f commit 3f93352
Showing 1 changed file with 28 additions and 3 deletions.
31 changes: 28 additions & 3 deletions versions/3.0.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3369,19 +3369,24 @@ animals:
#### <a name="securitySchemeObject"></a>Security Scheme Object

Allows the definition of a security scheme that can be used by the operations.
Supported schemes are HTTP authentication, an API key (either as a header or as a query parameter) and OAuth2's common flows (implicit, password, application and access code).
Supported schemes are HTTP authentication, an API key (either as a header or as a query parameter), OAuth2's common flows (implicit, password, application and access code) and Oauth1.

This comment has been minimized.

Sign in to view

Copy link
@earth2marsh

earth2marsh May 10, 2017

Needs a capital A like OAuth1

##### Fixed Fields
Field Name | Type | Validity | Description
---|:---:|---|---
<a name="securitySchemeType"></a>type | `string` | Any | **Required.** The type of the security scheme. Valid values are `"apiKey"`, `"http"`, `"oauth2"`, `"openIdConnect"`.
<a name="securitySchemeType"></a>type | `string` | Any | **Required.** The type of the security scheme. Valid values are `"apiKey"`, `"http"`, `"oauth2"`, `"openIdConnect"`, `"oauth1"`.
<a name="securitySchemeDescription"></a>description | `string` | Any | A short description for security scheme. [CommonMark syntax](http://spec.commonmark.org/) can be used for rich text representation.
<a name="securitySchemeName"></a>name | `string` | `apiKey` | **Required.** The name of the header or query parameter to be used.
<a name="securitySchemeIn"></a>in | `string` | `apiKey` | **Required.** The location of the API key. Valid values are `"query"` or `"header"`.
<a name="securitySchemeScheme"></a>scheme | `string` | `http` | **Required.** The name of the HTTP Authorization scheme to be used in the [Authorization header as defined in RFC 7235](https://tools.ietf.org/html/rfc7235#section-4.2).
<a name="securitySchemeBearerFormat"></a>bearerFormat | `string` | `http` (`"bearer"`) | A hint to the client to identify how the bearer token is formatted. Bearer tokens are usually generated by an authorization server, so this information is primarily for documentation purposes.
<a name="securitySchemeFlows"></a>flows | [OAuth Flows Object](#oauthFlowsObject) | `oauth2` | **Required.** An object containing configuration information for the flow types supported.
<a name="securitySchemeOpenIdConnectUrl"></a>openIdConnectUrl | `string` | `openIdConnect` | **Required.** OpenId Connect URL to discover OAuth2 configuration values. This MUST be in the form of a URL.
<a name="securitySchemeOpenIdConnectUrl"></a>openIdConnectUrl | `string` | `openIdConnect` | **Required.** OpenId Connect URL to discover OAuth2 configuration values. This MUST be in the form of a URL.
<a name="securitySchemeAuthorizationUrl"></a>authorizationUrl | `string` | `oauth1` | **Required.** Resource Owner Authorization URL to send the user to the server to authorize the request. This MUST be in the form of a URL.

This comment has been minimized.

Sign in to view

Copy link
@earth2marsh

earth2marsh May 10, 2017

Consider userAuthorizationUrl to be more in line with with the spec's names: https://oauth.net/core/1.0a/#request_urls

Similarly, accessTokenUrl and requestTokenUrl

This comment has been minimized.

Sign in to view

Copy link
@starfishmod

starfishmod May 10, 2017

Author Owner

While I agree with you in theory. I am trying to use the existing terms (and how they structure them) as used by the oauth2 part of the spec. However if the spec maintainers wish to change this I have no objections.
<a name="securitySchemeTokenUrl"></a>tokenUrl | `string` | `oauth1` | **Required.** Token Credentials URL to obtain a set of token credentials from the server. This MUST be in the form of a URL.
<a name="securitySchemeRequestUrl"></a>requestUrl | `string` | `oauth1` | **Required.** Temporary Credentials URL to obtain a set of temporary credentials from the server. This MUST be in the form of a URL.
<a name="signatureMethod"></a>requestUrl | [`string`] | `oauth1` | A list of supported signatures used for authorization. Valid values are `"HMAC-SHA1"`, `"RSA-SHA1"`, or `"PLAINTEXT"`. Default vaule is `"HMAC-SHA1"`

This comment has been minimized.

Sign in to view

Copy link
@earth2marsh

earth2marsh May 10, 2017

I was wondering about callbackUrl, but I think that may not be needed as it is supplied by the client, even if it is just oob (out of band).

This comment has been minimized.

Sign in to view

Copy link
@starfishmod

starfishmod May 10, 2017

Author Owner

yeah any oob stuff is not in the spec for oauth2 either so I left it including consumer keys etc.

This object can be extended with [Specification Extensions](#specificationExtensions).

Expand Down Expand Up @@ -3432,6 +3437,26 @@ type: http
scheme: bearer
bearerFormat: JWT
```
###### Oauth1 Sample

This comment has been minimized.

Sign in to view

Copy link
@earth2marsh

earth2marsh May 10, 2017

As a title, consider OAuth 1.0a Sample

```json
{
"type": "oauth1",
"authorizationUrl": "http://example.com/api/oauth/dialog",
"tokenUrl": "http://example.com/api/oauth/token",
"requestUrl": "http://example.com/api/oauth/request",
"signatureMethod": ["RSA-SHA1"]
}
```

```yaml
type: oauth1
authorizationUrl: http://example.com/api/oauth/dialog
tokenUrl: http://example.com/api/oauth/token
requestUrl: http://example.com/api/oauth/request
signatureMethod:
- RSA-SHA1
```

###### Implicit OAuth2 Sample

Expand Down

0 comments on commit 3f93352

Please sign in to comment.